[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Dereferencing Namespace URIs considered harmful
It would be worthwhile taking a little time to consider the possible security impact of encouraging XML processing software to dereference Namespace URIs as a matter of course. Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most web servers have well known vulnerabilities to various forms of malformed URL. In addition the logs kept by web servers can be and are used to track the progress of HTML formatted email messages - this could easily be extended to track the progress of XML documents (e.g. SOAP messages, XML based EDI documents) providing an attacker with valuable information on the business infrastructure behind the firewall. If processing software uses the Namespace URI to fetch a second XML document and begins to process that document it opens itself up to a number of Denial of Service attacks (feeding the processor an infinitely long document, putting new Namespace URIs in the second document which are the start of an infinitely long chain of URIs). This danger exists at the moment in the form of email clients who accept and display HTML format email messages. It would seem to me to be foolish to extend this danger to mission critical servers processing core business XML documents. John Wilson The Wilson Partnership 5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK +44 1296 641072, +44 7976 611010(mobile), +44 1296 641874(fax)
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|